Russia has tightened liability for violation of laws on personal data protection and information dissemination
Liability for personal data protection and information dissemination has been tightened in Russia since December 02, 2019.[1]
Crux of the matter
- Amendments provide for the introduction of a special liability in the Russian Code of Administrative Offenses if operators[2] fail to comply with personal data localization requirements.[3] These requirements provide for certain processing actions with personal data to be performed using databases located in Russia.
- The law has also introduced liability for repeated violation of certain requirements of the law on personal data[4] and the law on information, information technology and protection of information.[5] Overall, the law provides for liability in the form of a fine of up to RUB 18 million.
According to the initiators of the changes, the main purpose of these amendments is to provide for a fair (proportionate) liability in case of violation of the law by entities processing personal data and disseminating information. For example, previously Russian Code of Administrative Offenses didn’t provide for any special liability for breaching of personal data localization rules. Under the new law, operators will be fined up to RUB 6 million for violation of localization requirements, and in case of a repeated offense, they will be fined up to RUB 18 million.
Who will be affected?
The new fines could be imposed on Russian and international companies that collect and process personal data of Russian citizens (employees, customers), including aggregators, agencies (travel agencies), online stores, internet services offering platforms for discussions (blog platforms, social networks), online cinemas, messengers, search engines, etc.
The changes introduced to the law are described in the table below:
| Entity | Violation | Liability | Ground | Obligation | |
| 1. | Personal data operator | Failure to comply with localization requirements | Fine from RUB 1 million to RUB 6 million
Repeated violation: Fine from RUB 6 million to RUB 18 million |
Article 13.11(8,9) Russian Code of Administrative Offenses | Article 18(5) Personal Data Law |
| 2. | Online information host |
Repeated violation of obligation to notify authorized body about starting of activity to ensure functioning of information systems and/or computer program for receipt, transfer, delivery and/or processing of electronic messages |
Fine from RUB 500,000 to RUB 1 million | Article 13.31(11) Russian Code of Administrative Offenses | Article 10.1(2) Law On Information, Information Technology and Protection of Information |
| Repeated violation of obligation to store and/or provide to the authorized bodies information about receipt, transfer, delivery and/or processing of voice data, written text, images, sounds or other electronic messages from internet users and information about such users | Fine from RUB 2 million to RUB 6 million
|
Article 13.31(22) Russian Code of Administrative Offenses | Article 10.1(3) Law On Information, Information Technology and Protection of Information | ||
| Repeated failure to submit to the authorized body information for decoding electronic messages | Fine from RUB 2 million to RUB 6 million
|
Article 13.31(22) Russian Code of Administrative Offenses | Article 10.1(4.1) Law On Information, Information Technology and Protection of Information | ||
| Repeated failure to fulfill the obligation to meet the requirements for equipment and hardware and software in operating of IT-system for law enforcement intelligence operations or for ensuring the security of Russia | Fine from RUB 2 million to RUB 6 million
|
Article 13.31(4) Russian Code of Administrative Offenses | Article 10.1(4) Law On Information, Information Technology and Protection of Information | ||
| 3. | Owner of audiovisual service | Re-diffusion of television channel, television program not registered as mass media or diffusion of such after adoption of a decision to stop or suspend broadcasting of TV channel or TV program | Fine from RUB 700,000 to RUB 1 million | Article 13.35(2) Russian Code of Administrative Offenses | Article 10.5(1(5)) Law On Information, Information Technology and Protection of Information |
| Repeated violation of established procedure for dissemination among children of information harmful to their health and/or development | Fine from RUB 500,000 to RUB 1 million | Article 13.36(2) Russian Code of Administrative Offenses | Article 10.5(1(2)) Law On Information, Information Technology and Protection of Information | ||
| Re-distribution of information calling for terrorist activities, publicly justifying terrorism | Fine from RUB 1.5 million to RUB 5 million | Article 13.37(2) Russian Code of Administrative Offenses | Article 10.5(1(1)) Law On Information, Information Technology and Protection of Information | ||
| 4. | Instant messenger | Repeated failure to fulfill obligations provided by law | Fine from RUB 1 million to RUB 2 million
|
Article 13.39(2) Russian Code of Administrative Offenses | Article 10.1(4.2) Law On Information, Information Technology and Protection of Information |
| 5. | Search engine | Repeated failure to fulfill the obligation to connect to the federal state information system for information resources, information and telecommunication networks, access to which is limited in Russia | Fine from RUB 1.5 million to RUB 5 million | Article 13.40(21) Russian Code of Administrative Offenses | Article 15.8(5) Law On Information, Information Technology and Protection of Information |
| Repeated failure to fulfill the obligation to end in Russia, at the request of search engine users, issuing information about information resources, information and telecommunication networks, access to which is limited in Russia | Fine from RUB 1.5 million to RUB 5 million | Article 13.40(21) Russian Code of Administrative Offenses | Article 15.8(8) Law On Information, Information Technology and Protection of Information | ||
| Repeated failure to fulfill the obligation to stop in Russia, at the request of search engine users, issuing information about domain name and URL, access to which is limited under the relevant Moscow City Court decision, or copies of blocked sites | Fine from RUB 1.5 million to RUB 3 million | Article 13.40(4) Russian Code of Administrative Offenses | Article 15.6(2.1) Law On Information, Information Technology and Protection of Information |
At your request, we would be pleased to provide you with more detailed advice on the requirements for personal data protection and information dissemination, so please do not hesitate to contact us if necessary.
If you have any questions or would like to discuss the above changes in more detail, please feel free to write to Ekaterina Belyaeva.
Yours faithfully,
[1] Federal Law No. 405-FZ Amending Certain Legislative Acts of the Russian Federation (http://publication.pravo.gov.ru/Document/View/0001201912020045?index=0&rangeSize=1)
[2] An entity processing personal data determines the purpose for processing, the composition of personal data as well as the actions regarding personal data (Article 3(2) Personal Data Law)
[3] Article 18(5) Personal Data Law
[4] Federal Law No. 152-FZ On Personal Data dated July 27, 2006
[5] Federal Law On Information, Information Technology and Protection of Information No. 149-FZ dated July 27, 2006